When you get started with any technology, it initially becomes difficult to understand the terms involved and that creates a confusion. Similarly, when you get started with Azure, you will definitely come across the terms that might be a little confusing and it’s prudent to have a good understanding of those key terms before you embark on your journey to learn and work on Azure. In this post, we will learn about Tenant, Subscription, etc. Let’s get started with Tenant.
A Tenant refers to a single dedicated and trusted instance of Azure Active Directory and it gets created automatically when you sign up for a Microsoft cloud service subscription. In broader terms, when your organization signs up for cloud service subscription. A tenant, therefore, represents a single organization, identity, or a person.
The Azure AD tenant provides a single place to manage users, groups and their permissions for the applications published in the Azure AD. Azure Active Directory can be used to manage permissions for Office 365, Dynamics 365, and Azure as well. Azure AD can also be used to control access to many other third-party applications registered with Azure AD. To manage the permissions for an application using Azure AD, the application must be registered in Azure Active Directory.
Azure AD Tenants have globally unique names and, therefore, have a unique id (tenant GUID). In general, an Azure AD tenant name ends with ‘onmicrosoft.com’, for example – atcsl.onmicrosoft.com, where ‘atcsl’ may be the name of an individual or an organization. In essence, a single tenant corresponds to a single instance of Azure Active Directory.
Although when an organization or an individual signs up for the first time, only a single tenant is created and associated, but multiple tenants can be created after signing up and, therefore, an organization can have more than one tenant, depending upon organizational requirement. Each tenant has its own Azure Active Directory, thereby having a one-to-one relation between the tenant and the Azure AD, where each tenant is referred to as an organization. In a single tenant, resources within the tenant have access to other services and resources within that tenant, whereas, when the resources within a tenant have access to other resources and services in a shared environment across multiple organizations (i.e., multiple tenant), they are considered as multi-tenant.
Let’s try to understand that with an example. There is a holding company called Globomantics. This company decides to have 2 different tenants for its 2 subsidiaries.
- one tenant for subsidiary Contoso having subscriptions for Dev and Prod, and
- one tenant for subsidiary Fabrikam, again having subscriptions for Dev and Prod
These two tenants may be required based on Globomantics internal organizational requirements in order to have maximum separation of concerns as well as have different settings and configurations for the two subsidiaries, which can be based on different geographies or regions.
As shown in the image above, a Tenant can have one or more subscriptions. This is the case in large organization, where there are different departments and each department has their own subscription, whereas, a Subscription can only be associated with a single Azure AD Tenant at any time.
A Subscription in Azure can be considered as a logical container into which the resources and services can be created, configured, and installed. For example – Virtual Machines, Web Apps, Storage Accounts, Automations, Functions, Logic Apps, etc. As stated earlier, a Tenant can have one or more Subscriptions that depends on organizational requirements and each Subscription has a name, and like Tenants, have a unique identity, called as Subscription ID
Although the fine-grained permissions for individual resources can be managed from within the resource using Role Based Access Control (RBAC), Subscriptions can also be used for coarse-grained access at the subscription level that percolates down to individual resources. Also, the usage costs are managed at the Subscription level for all the resources and services being configured within that subscription. You can also choose to change the Tenant for a Subscription, which is in turn also moves the resources within the Subscription to the new Tenant.
One important point is that the Subscriptions are not tied to a particular Azure Region, which means that the Subscription can contain resources from any Region. This also does not mean that you can create resources in all the Azure Regions, as a few geographies and regions may be restricted and the Resources within a Subscription that are deployed to different Regions will incur applicable cross-Region costs for that resource.
Hope you now have a better understanding of Azure Tenant and Azure Subscription and how they relate to each other.